DSSE support

[tri-adam]

Add Dead Simple Signing Envelope (DSSE) encoder/decoder, which provides a way to utilize non-PGP key material. In practice, this currently includes ECDSA, ED25519, RSA.

I'm pulling in a couple of new dependencies as part of this work:

• github.com/sigstore/sigstore - mainly for the Signer and Verifier interfaces, which seem to be high quality. I intent to use these in the public API in a follow-up PR, so careful consideration about this approach would be warranted.
• github.com/secure-systems-lab/go-securesystemslib - reference implementation for DSSE signing/verifying.

It's worth noting that the Sigstore dependency does have a DSSE package, which uses github.com/secure-systems-lab/go-securesystemslib under the hood. I'm consciously choosing not to use it here as it's useful to have access to AcceptedKey when verifying, and it doesn't materially change the dependency tree.

[codecov-commenter]

Codecov Report

Merging #228 (73fc07a) into main (831d6b6) will decrease coverage by 0.07%.
The diff coverage is 70.47%.

@@            Coverage Diff             @@
##             main     #228      +/-   ##
==========================================
- Coverage   72.61%   72.53%   -0.08%     
==========================================
  Files          34       35       +1     
  Lines        2713     2818     +105     
==========================================
+ Hits         1970     2044      +74     
- Misses        600      622      +22     
- Partials      143      152       +9     

Impacted Files	Coverage Δ
pkg/integrity/dsse.go	68.68% <68.68%> (ø)
pkg/integrity/result.go	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[dtrudg]

This LGTM. I've had a read around DSSE and am definitely in favor of using that over implementing specific X509 handling directly in SIF. Usage in sigstore, TUF, is as much of guarantee as I think we are going to get that it'll be maintained and broadly understood.